
Commit ae0ed2f

committed
Add RunAsGroup support.
Signed-off-by: Lantao Liu <[email protected]>
1 parent f99f0be commit ae0ed2f

2 files changed

+27
-0
lines changed


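--- a/pkg/server/container_create.go
+++ b/pkg/server/container_create.go
@@ -17,6 +17,7 @@ limitations under the License.
 package server
 
 import (
+	gocontext "context"
 	"os"
 	"path/filepath"
 	"strings"
@@ -225,6 +226,18 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta
 	if username := securityContext.GetRunAsUsername(); username != "" {
 		specOpts = append(specOpts, oci.WithUsername(username))
 	}
+	if gid := securityContext.GetRunAsGroup(); gid != nil {
+		if securityContext.GetRunAsUser() == nil || securityContext.GetRunAsUsername() == "" {
+			return nil, errors.New("user group is specified without user")
+		}
+		// TODO(random-liu): Add WithGroupID in containerd client.
+		specOpts = append(specOpts,
+			func(_ gocontext.Context, _ oci.Client, _ *containers.Container, s *runtimespec.Spec) error {
+				s.Process.User.GID = uint32(gid.GetValue())
+				return nil
+			},
+		)
+	}
 
 	apparmorSpecOpts, err := generateApparmorSpecOpts(
 		securityContext.GetApparmorProfile(),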
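Review bot: The guard in the new RunAsGroup block of CreateContainer uses `||`, so a container that sets a numeric RunAsUser but no RunAsUsername (or the reverse) is rejected with "user group is specified without user" even though a user is present; this contradicts the error text and the sibling check in sandbox_run.go, which only requires RunAsUser. The condition should be `if securityContext.GetRunAsUser() == nil && securityContext.GetRunAsUsername() == "" {` so either form of user identity satisfies it. Appending the GID closure after oci.WithUsername also means the explicit group silently overrides the GID that the username lookup resolved, which is presumably intended but deserves a comment such as `// An explicit RunAsGroup takes precedence over the GID resolved from RunAsUsername.` CreateContainer's body starts and ends outside the hunk.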

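--- a/pkg/server/sandbox_run.go
+++ b/pkg/server/sandbox_run.go
@@ -17,12 +17,14 @@ limitations under the License.
 package server
 
 import (
+	gocontext "context"
 	"fmt"
 	"os"
 	"strings"
 
 	"github.com/containerd/containerd"
 	containerdio "github.com/containerd/containerd/cio"
+	"github.com/containerd/containerd/containers"
 	"github.com/containerd/containerd/errdefs"
 	"github.com/containerd/containerd/linux/runctypes"
 	"github.com/containerd/containerd/oci"
@@ -148,6 +150,18 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox
 	if uid := securityContext.GetRunAsUser(); uid != nil {
 		specOpts = append(specOpts, oci.WithUserID(uint32(uid.GetValue())))
 	}
+	if gid := securityContext.GetRunAsGroup(); gid != nil {
+		if securityContext.GetRunAsUser() == nil {
+			return nil, errors.New("user group is specified without user")
+		}
+		// TODO(random-liu): Add WithGroupID in containerd client.
+		specOpts = append(specOpts,
+			func(_ gocontext.Context, _ oci.Client, _ *containers.Container, s *runtimespec.Spec) error {
+				s.Process.User.GID = uint32(gid.GetValue())
+				return nil
+			},
+		)
+	}
 
 	seccompSpecOpts, err := generateSeccompSpecOpts(
 		securityContext.GetSeccompProfilePath(),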
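Review bot: The GID closure added to RunPodSandbox is an exact copy of the one added to CreateContainer in the same commit; since both carry the same TODO for a future oci.WithGroupID, a single package-level helper would keep each call site to one line and give the placeholder one place to delete later. The closure also writes `s.Process.User.GID` without checking `s.Process` for nil; the preceding oci.WithUserID presumably relies on the same precondition, so the helper should state it in its doc comment rather than leave it implicit. RunPodSandbox's body starts and ends outside the hunk.
```go
// withGroupID returns a SpecOpts that sets the primary GID of the container
// process. It assumes the spec already has a Process section, as the
// oci.WithUserID/WithUsername options applied before it do.
// TODO(random-liu): replace with oci.WithGroupID once containerd provides it.
func withGroupID(gid uint32) oci.SpecOpts {
	return func(_ gocontext.Context, _ oci.Client, _ *containers.Container, s *runtimespec.Spec) error {
		s.Process.User.GID = gid
		return nil
	}
}

// … unchanged: RunAsUser handling …
	if gid := securityContext.GetRunAsGroup(); gid != nil {
		if securityContext.GetRunAsUser() == nil {
			return nil, errors.New("user group is specified without user")
		}
		specOpts = append(specOpts, withGroupID(uint32(gid.GetValue())))
	}
```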
